Files
notifications-admin/requirements.in
Chris Hill-Scott c2d9a56ff4 Bump Werkzeug to version 2.0.2
This is the newest version.

Pyup is complaining about vulnerabilities in version 1.0.1, specifically
> Werkzeug version 2.0.2 improves the security of the debugger cookies.
> "SameSite" attribute is set to "Strict" instead of "None", and the
> secure flag is added when on HTTPS.

Previously we were using whatever version of Werkzeug that Flask
specified this pins it to get rid of the vulnerability without having to
upgrade everything at once.

This requires a few changes to tests which were relying on importing
`session` and `current_user` from Flask. Previously it seemed that
importing these in the tests referred to the same object that was being
used in the app. This appears to no longer be the case. This commit
works around that by:
- using a context manager to get the contents of the session, like we
  already do in most tests
- asserting that the mock which logs the user in is being called with
  the right values, rather than looking at the state of the
  `current_user` object (which was probably giving false certainty
  anyway)
2021-10-12 10:39:19 +01:00

41 lines
1.2 KiB
Plaintext

# Run `make freeze-requirements` to update requirements.txt
# with package version changes made in requirements-app.txt
ago==0.0.93
govuk-bank-holidays==0.8
humanize==3.6.0
Flask==1.1.2 # pyup: <2
Flask-WTF==0.15.1
Flask-Login==0.5.0
werkzeug==2.0.2
blinker==1.4
pyexcel==0.6.6
pyexcel-io==0.6.4
pyexcel-xls==0.6.2
pyexcel-xlsx==0.6.0
pyexcel-ods3==0.6.0
pytz==2021.1
gunicorn==20.1.0
eventlet==0.30.2 # pyup: ignore
notifications-python-client==6.2.1
Shapely==1.7.1
rtreelib==0.2.0
fido2==0.9.1
# PaaS
awscli-cwlogs>=1.4,<1.5
itsdangerous==1.1.0 # pyup: <2
git+https://github.com/alphagov/notifications-utils.git@46.1.0#egg=notifications-utils==46.1.0
git+https://github.com/alphagov/govuk-frontend-jinja.git@v0.5.8-alpha#egg=govuk-frontend-jinja==0.5.8-alpha
# cryptography 3.4+ incorporates Rust code, which isn't supported on PaaS
# e.g. https://github.com/alphagov/notifications-api/pull/3126
cryptography<3.4 # pyup: ignore
# gds-metrics requires prometheseus 0.2.0, override that requirement as later versions bring significant performance gains
# version 0.10.0 introduced exceptions when workers crashed due to deprecating lower case `prometheus_multiproc_dir`.
prometheus-client>=0.9.0,!=0.10.0
gds-metrics==0.2.4